browserpass-extension
taking OTP shows password on the screen
It's impossible now to fill OTP while someone else is looking at your screen.
@532910 The behavior is identical to when using the OTP extension; you can still paste it without needing to open the details screen.
@maximbaz What do you think about this - worth hiding the password by default? Seems like a good idea to me.
We'd have to hide not only the password, but the entire edit area as well - seems like something is wrong with the design if we have to hide almost the entire contents of the popup...
Maybe if the OTP code is copied to clipboard this is good enough, just don't open this details view in front of someone else, but use Ctrl+V?
Mmm, you make a good point - I guess the entire purpose of the details area is to view and edit the whole pass entry. That said, viewing usernames and OTP tokens is also a legitimate reason for being in that screen.
What if we had the edit area and password both hidden by default, but sharing a toggle? I.e. view the password and the edit area also becomes visible. It means just one click for the user to view all sensitive data. That seems like a reasonable middle ground to me.
> Maybe if the OTP code is copied to clipboard this is good enough, just don't open this details view in front of someone else, but use Ctrl+V?
But how should it be copied to clipboard? There is no button for this action.
> But how should it be copied to clipboard? There is no button for this action.
It's automatic after filling, exactly as it was for the OTP extension.
@maximbaz The more I think about this, the more I think that we should be hiding both the password & edit field by default. One extra click seems like a pretty good compromise for the extra security it offers.
- It's not obvious.
- what should I do if filling has failed and I filled login/password manually?
- Fair comment. We should document that behavior.
- Copy it from the details screen, which is one of the reasons why I agree with you that the password should probably be hidden by default.
Another solution that I see is an OTP button (next to the password one for example).
@532910
> Another solution that I see is an OTP button (next to the password one for example).
We can't do that unfortunately; we've discussed it before. Putting an OTP button there requires knowing if an entry contains an OTP seed, which requires decrypting the entry. Decrypting all the entries in the list is something we will never, ever do, because it has an extremely high performance penalty, especially for users who use a hardware token for crypto operations.
an OTP button can be dynamically added after password decryption / copying
It can't, actually, for three reasons:
- Browserpass builds that screen when you open it, in order to ensure it has exactly the same state as `pass`. That screen also closes when it loses focus, or runs an action (e.g. copying a password, clicking somewhere else on the page, etc).
- Displaying a button only for entries we have decrypted means the list entries will be inconsistent in a non-obvious way.
- If we cache a negative state, and the user subsequently adds an OTP seed, they won't see the button even though there should be one displayed.
Hi,
Thank you for developing this extension! I just used it the first time for logging into GitHub 8-)
If the OTP option is enabled, you could always show the OTP button in white and change it on click to green or red, depending on whether an OTP could be found and copied to the clipboard.
I like to use the pass extension "tail". On the detail plane, you could just not show the password and display the details using "pass tail" and update them using "pass tailedit" until a "display password" button is pressed and then display the password in a separate field and change to the normal "pass show" and "pass edit" behaviour for the details field. What do you think about this?
Best regards, federkamm